Operating systems typically contain a mechanism for specifying applications to be loaded when the operating system starts up. For example, Windows has specific locations in the registry that are used to load applications, such as the Run (sub)key under the HKEY_CURRENT_USER key and the HKEY_LOCAL_MACHINE key. Such registry keys are known as load points. Values can be written to load points that specify files to be loaded and run during the operating system boot process. There are many legitimate reasons for an application to be loaded when the operating system starts up, and these locations in Windows are used by many legitimate programs for benign purposes.
In addition to their legitimate use, load points can be used as attack vectors for malware such as viruses, Trojan horses, worms and spyware. Because the program specified by a load point is loaded each time the operating system starts up, introducing malware into a computer through a hijacked load point allows the malware to survive a reboot. This makes load points an attractive target for propagators of malware.
Some anti-malware programs check the files that launch from registry load points to detect whether they are known malware or have suspicious characteristics, such as a random name. However, new malware, or malware that is not distributed by a source already regarded as suspicious, can go undetected by such checks.
It would be desirable to address this issue.
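As an added illustration of the load-point check described above (example code, not part of this document), the following Python audits a constructed set of Run-key values for a random-looking value name and for a launch path in a user-writable directory; the sample entries, entropy thresholds and directory list are assumptions.

```python
import math
import re
from collections import Counter

# Constructed sample of value names and command lines under a Run load point
# (hypothetical data, not taken from any real system).
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe",
    "xk7qzpv": r"C:\Users\alice\AppData\Local\Temp\xk7qzpv.exe",
    "Updater": r'"C:\Users\alice\AppData\Roaming\svchost.exe" -s',
}
# Assumed list of user-writable directories from which a persistent program rarely launches.
SUSPICIOUS_DIRS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\", "\\windows\\temp\\")

def looks_random(name: str) -> bool:
    """Flag auto-generated value names: high per-character entropy together with
    few vowels or a letter/digit mix (e.g. 'xk7qzpv'). Thresholds are assumptions."""
    s = name.lower()
    if len(s) < 6:
        return False
    entropy = -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())
    vowel_ratio = sum(s.count(v) for v in "aeiou") / len(s)
    mixed = bool(re.search(r"\d", s)) and bool(re.search(r"[a-z]", s))
    return entropy > 2.5 and (vowel_ratio < 0.15 or mixed)

def executable_path(command: str) -> str:
    """Extract the program path from a Run value's command line (quoted or first token;
    an unquoted path containing spaces is truncated at the first space)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]

def audit_run_values(values: dict) -> list:
    """Return (value_name, reasons) pairs for load-point entries an analyst should review."""
    findings = []
    for name, command in values.items():
        path = executable_path(command).lower()
        reasons = []
        if looks_random(name):
            reasons.append("random-looking value name")
        if any(d in path for d in SUSPICIOUS_DIRS):
            reasons.append("launches from a user-writable directory")
        if reasons:
            findings.append((name, "; ".join(reasons)))
    return findings
```

Running `audit_run_values(SAMPLE_RUN_VALUES)` flags `xk7qzpv` (random name, Temp directory) and `Updater` (Roaming directory) while leaving the two legitimately installed entries alone.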